The Resilience Stack™: A 5-Layer Framework for Cyber Insurance Risk Assessment
Introducing the Resilience Stack™ — RESILIENTLY's proprietary framework for evaluating cyber risk across five layers: threat landscape, exposure surface, regulatory posture, financial impact, and insurance readiness.
The cyber insurance industry has a measurement problem. Underwriters price risk using security ratings that condense an organization’s entire cyber posture into a single letter grade. Compliance teams check boxes against regulatory requirements without connecting those requirements to financial exposure. Brokers submit applications that tell underwriters what coverage the client wants, but not why they need it or what happens if they don’t get it.
Nothing connects threat intelligence to insurance decisions. Nothing traces a line from “there’s a ransomware campaign exploiting VPNs in this sector” to “this is the specific coverage gap it creates” to “here’s the financial impact in euros.”
The Resilience Stack™ is that connection. It’s a five-layer framework that maps the complete journey from external threats to insurance readiness — and back again. Each layer produces measurable, quantifiable outputs that feed the next, creating an end-to-end risk assessment that serves underwriters, brokers, CISOs, and compliance officers with the same data architecture.
This post introduces the framework, explains each layer in detail, and shows how to apply it in practice.
The Problem with Flat Risk Scores
Security rating services — Bitsight, SecurityScorecard, RiskRecon — assign letter grades (A through F) based on externally observable security indicators. These ratings have become ubiquitous in cyber insurance underwriting. A 2024 survey by the Insurance Information Institute found that 78% of cyber insurers use security ratings as a primary input for pricing and selection decisions.
The problem: a letter grade tells you almost nothing useful for insurance underwriting.
Consider two organizations, both rated “B”:
Organization A is a 500-employee financial services firm in Frankfurt. It has 23 internet-facing services, two of which run software with known critical CVEs. It processes 2.4 million PII records. It collects payment card data. It’s classified as an essential entity under NIS2, with compliance obligations that carry penalties up to €10 million. Its ransomware recovery time is estimated at 19 days based on current backup and incident response capabilities. Its P50 financial exposure from a ransomware event is €1.7 million.
Organization B is a 50-employee marketing agency in Lisbon. It has 4 internet-facing services, all patched and current. It holds 12,000 PII records. It has no regulatory obligations beyond GDPR. It’s below the NIS2 size threshold, so compliance requirements don’t apply. Its ransomware recovery time is estimated at 4 days. Its P50 financial exposure from a ransomware event is €89,000.
Same letter grade. Radically different risk profiles. Radically different insurance needs. A flat score collapses critical dimensions — regulatory exposure, financial magnitude, attack surface specificity, insurability — into a single dimension that lacks the granularity required for underwriting decisions.
The Resilience Stack™ doesn’t replace security ratings. It contextualizes them. Each layer adds dimensionality, moving from “what’s the general risk level?” to “what’s the specific financial exposure, regulatory liability, and insurance gap?”
The Resilience Stack™ Explained
The framework comprises five layers, each answering a specific question about cyber risk. The layers flow sequentially: outputs from Layer 1 inform Layer 2, Layer 2 feeds Layer 3, and so on.
Layer 1: THREAT LANDSCAPE — What's happening in the wild?
↓
Layer 2: EXPOSURE SURFACE — How visible/vulnerable is the org?
↓
Layer 3: REGULATORY POSTURE — Does it meet compliance?
↓
Layer 4: FINANCIAL IMPACT — What's the risk in euros?
↓
Layer 5: INSURANCE READINESS — How does risk translate to coverage?
For each layer, we’ll examine what it measures, the key data sources, how RESILIENTLY tools address it, and what underwriters should ask.
Layer 1: Threat Landscape
Question: What’s happening in the wild that could affect this organization?
The threat landscape is the external context that shapes all downstream analysis. Before you can assess an organization’s risk, you need to understand what threats are active, which sectors they target, and how they operate.
What It Measures
- Active ransomware campaigns and their initial access vectors
- Emerging CVEs with known exploitation (CISA KEV catalog)
- Threat actor targeting patterns by sector and geography
- Macroeconomic and geopolitical risk trends affecting cyber exposure
- Attack vector evolution (phishing → credential harvesting → lateral movement paths)
Key Data Sources
- CISA Known Exploited Vulnerabilities (KEV) catalog — definitive catalog of vulnerabilities with active exploitation
- NIST National Vulnerability Database (NVD) — CVE scoring and technical details
- ENISA Threat Landscape reports — EU-specific threat intelligence and trend analysis
- MITRE ATT&CK — adversary behavior taxonomy linking threat actors to techniques
- OpenCTI — open-source threat intelligence platform for operational intelligence
- ISP, CERT, and national CSIRT advisories
How RESILIENTLY Addresses It
- Threat Intelligence Feed — Live OpenCTI-powered threat data with CVE and MITRE ATT&CK enrichment, filterable by sector and actor
- Weekly Threat Digest — Curated intelligence briefing published every Monday covering active campaigns, new CVEs, and sector-specific targeting
What Underwriters Should Ask
- What ransomware families are actively targeting this organization’s sector?
- Has the organization been mentioned in any threat actor targeting lists?
- Are there CISA KEV-listed vulnerabilities in the technologies this organization uses?
- What initial access vectors are most common in this sector this quarter?
- How does the current threat landscape compare to 90 days ago?
The critical insight from Layer 1: Threat intelligence isn’t background context — it’s the primary input that determines whether the organization’s security controls (Layer 2) are adequate for the threats they actually face. A “B” security rating means something very different if the organization sits in a sector with 3 active ransomware campaigns versus a sector with 0.
Layer 2: Exposure Surface
Question: How visible and vulnerable is this organization to the threats identified in Layer 1?
Layer 2 translates the general threat landscape into the organization’s specific attack surface. It moves from “ransomware campaigns are exploiting VPNs” to “this organization’s VPN gateway runs unpatched FortiOS with a known critical CVE.”
What It Measures
- Internet-facing services and their patch status
- Subdomain and certificate exposure (dangling DNS, wildcard certificates)
- Supply chain dependencies and inherited vendor risk
- IoT device attack surface (default credentials, unsegmented networks, firmware age)
- SSL/TLS configuration and certificate validity
- Open ports and running services
- Information leakage through HTTP headers
Key Data Sources
- Certificate Transparency logs (crt.sh) — definitive record of all SSL/TLS certificates ever issued
- Shodan — internet-wide scanning of open ports, services, and vulnerabilities
- Censys — attack surface intelligence with host and certificate data
- DNS records and zone files — subdomain enumeration, mail configuration
- Vendor security assessments and SOC 2 reports (for supply chain analysis)
How RESILIENTLY Addresses It
- Domain Exposure Scanner — Passive reconnaissance identifying subdomains, open ports, security header misconfigurations, SSL issues, and technology stack with overall exposure scoring
- Supply Chain Mapper — Third-party vendor risk assessment mapping inherited exposure from critical suppliers
What Underwriters Should Ask
- How many internet-facing services does this organization expose?
- Are any of those services running software with known, exploited vulnerabilities?
- Does the organization use a CDN/WAF, or are services directly exposed?
- How many third-party vendors have access to critical systems or data?
- Has the organization had a professional penetration test in the past 12 months, and what were the findings?
The critical insight from Layer 2: Exposure is specific. Layer 1 told you “ransomware is exploiting FortiOS VPN vulnerabilities.” Layer 2 tells you whether the insured organization runs FortiOS. If they do, the Layer 1 threat is directly relevant. If they don’t, it’s ambient noise. This specificity is what separates risk assessment from risk guessing.
Layer 3: Regulatory Posture
Question: Does this organization meet the compliance requirements that govern its cybersecurity obligations?
Regulatory non-compliance creates compounding risk. A technical vulnerability (Layer 2) that also represents a regulatory failure (Layer 3) carries financial penalties that add to breach costs. Underwriters increasingly treat compliance posture as a pricing variable.
What It Measures
- NIS2 entity classification (essential vs. important) and Article 21 compliance
- DORA ICT risk management framework compliance (for financial entities)
- GDPR data processing adequacy
- Sector-specific regulatory requirements (HIPAA, PCI DSS, etc.)
- Compliance documentation and audit readiness
- Incident reporting capability (NIS2 Article 23: 24-hour initial notification requirement)
Key Data Sources
- NIS2 Directive (EU) 2022/2555 — directive text, recitals, and national transpositions
- DORA Regulation (EU) 2022/2554 — ICT risk management, incident reporting, third-party oversight
- ENISA implementation guidance — technical standards and implementation specifications
- National competent authority publications — country-specific enforcement and guidance
- ESA ITS templates — European Supervisory Authorities’ incident reporting templates
How RESILIENTLY Addresses It
- NIS2 Compliance Checker — Full NIS2 assessment covering entity classification, security posture against all Article 21 measures, gap analysis with article-specific recommendations, and reporting requirements
- DORA ICT Risk Checklist — Five-pillar DORA assessment covering ICT risk management, incident reporting, resilience testing, third-party risk, and information sharing
What Underwriters Should Ask
- Is the organization classified as an essential or important entity under NIS2?
- Has the organization conducted a formal NIS2 gap analysis?
- For financial entities: Does the organization have a DORA-compliant ICT risk management framework in place?
- Can the organization meet the NIS2 24-hour initial notification deadline for significant incidents?
- What are the maximum regulatory fines this organization faces, and does the policy cover them?
The critical insight from Layer 3: Compliance isn’t binary. Most organizations are partially compliant — strong in some areas, weak in others. The Resilience Stack™ treats compliance as a set of measurable gaps, each with specific remediation steps and financial implications. A 62% NIS2 compliance score tells you more than “compliant” or “non-compliant” — it tells you exactly where the gaps are and what they cost to fix.
For a deeper look at what underwriters should verify, see our NIS2 compliance checklist for brokers and our guide to NIS2 penalties.
Layer 4: Financial Impact
Question: What’s the quantified financial risk in euros?
This is where cyber risk stops being a security exercise and becomes a business decision. Layer 4 translates the findings from Layers 1–3 into the language of CFOs, boards, and insurance actuaries: financial loss estimates expressed as probability distributions.
What It Measures
- Loss Event Frequency (LEF) — how often incidents are expected to occur
- Loss Magnitude (LM) — the financial cost per incident across affected categories
- Loss exceedance curves — the probability that losses exceed specific thresholds
- Annualized Loss Expectancy (ALE) — expected annual cost of cyber risk
- Regulatory fine exposure — maximum and likely penalties from compliance failures
- Scenario-specific cost modeling — ransomware, BEC, data breach, DDoS, supply chain compromise
Key Data Sources
- FAIR (Factor Analysis of Information Risk) methodology — the industry standard for cyber risk quantification
- IBM Cost of a Data Breach Report — annual benchmarking with sector and regional breakdowns
- Ponemon Institute research — cost components and cost drivers per incident type
- ENISA incident cost data — European-specific cost benchmarks
- National regulatory fine schedules — penalty frameworks for NIS2, GDPR, DORA
- Historical claims data — insurance industry loss experience by incident type and sector
How RESILIENTLY Addresses It
- Cyber Risk Calculator — FAIR-based risk quantification producing probability distributions of financial loss, calibrated by industry, revenue, and threat landscape
- Breach Cost Calculator — Per-incident breach cost estimates including notification, forensics, regulatory penalties, and business interruption
- Incident Cost Estimator — Total incident cost modeling across ransomware, BEC, data breach, and supply chain scenarios with adjustable severity parameters
What Underwriters Should Ask
- What is the organization’s P50 (median) and P95 (worst-case) loss from a ransomware event?
- What is the Annualized Loss Expectancy for all cyber peril categories combined?
- Does the organization have a FAIR-compliant cyber risk quantification program?
- What percentage of the estimated loss is attributable to regulatory fines versus direct costs?
- How do the cost estimates change if the organization’s security posture improves by 20%?
The critical insight from Layer 4: Financial quantification turns “we’re at risk” into “we face a 5% chance of losing more than €2.1M in a single incident.” That number goes on a balance sheet. It informs retention decisions. It determines how much capacity to buy. Without it, insurance purchasing is guesswork.
For a practical guide to FAIR implementation, see Why Your Cyber Risk Register Is Lying to You, which covers FAIR quantification methodology in detail.
Layer 5: Insurance Readiness
Question: How does quantified risk translate to coverage, and where are the gaps?
The final layer bridges risk assessment and insurance decisions. An organization can be fully aware of its threat exposure (Layers 1 and 2), compliant with all regulations (Layer 3), and have precise financial quantification (Layer 4) — and still fail to present a compelling submission to underwriters. Layer 5 ensures that risk intelligence translates into insurance outcomes.
What It Measures
- Insurability assessment — can this organization get placed, and at what terms?
- Coverage gap analysis — where does existing coverage fall short of identified exposure?
- Pre-qualification scoring — red flags that trigger declinations or coverage restrictions
- Market appetite matching — which markets and capacity providers write risks with this profile
- Submission quality — does the application provide underwriters with the data they need?
- Policy structure optimization — appropriate retentions, sublimits, and exclusions based on Layer 1–4 analysis
Key Data Sources
- Insurance market data — capacity, pricing, and appetite trends by sector and size
- Claims history and loss experience — portfolio-level and organization-specific
- Underwriting guidelines — carrier-specific selection criteria and declination triggers
- Policy form analysis — coverage grant, exclusions, conditions, and definitions
- Broker market intelligence — placement dynamics, competing quotes, and coverage innovation
How RESILIENTLY Addresses It
- Pre-Qualification Assessment — Determines insurability before approaching markets, identifies red flags, and produces underwriter-ready risk summaries
- Coverage Gap Analyzer — Maps existing coverage against identified risks to surface gaps, exclusions, and underinsurance with industry benchmarks
What Underwriters Should Ask
- Does the organization have a pre-qualification assessment, and what were the results?
- What is the coverage gap between the P95 loss estimate and the current aggregate limit?
- Which policy exclusions are most relevant given the Layer 1–4 findings?
- Has the organization implemented the security controls that underwriters prioritize (MFA, EDR, immutable backups, documented IR plan)?
- What is the broker’s recommended policy structure (limits, retentions, sublimits)?
The critical insight from Layer 5: Insurance readiness isn’t about whether the risk is good or bad — it’s about whether the risk is presentable. An organization with a Layer 2 exposure finding and a Layer 3 compliance gap can still secure favorable terms if the broker presents the submission with the right data, the right context, and the right narrative. The Resilience Stack™ gives brokers that ammunition.
For practical guidance on coverage analysis, see our coverage analysis guide, which examines common cyber insurance coverage gaps.
How the Layers Interact
The Resilience Stack™ isn’t five independent assessments. It’s a connected system where a weakness in one layer amplifies risk in others.
Layer 1 → Layer 2 amplification: When the threat landscape intensifies (new ransomware campaign, zero-day disclosure), existing exposure surface weaknesses become more dangerous. A VPN vulnerability that was “medium risk” in Q1 becomes “critical risk” in Q2 when threat actors begin actively exploiting it.
Layer 2 → Layer 3 amplification: Technical vulnerabilities that also violate regulatory requirements create double exposure. An unpatched internet-facing service (Layer 2) that violates NIS2 Article 21’s requirement for vulnerability management and patch handling (Layer 3) means the organization faces both breach risk and regulatory penalty risk from the same finding.
Layer 3 → Layer 4 amplification: Compliance failures add regulatory fines to breach costs. A GDPR-qualifying data breach that also triggers NIS2 penalties can compound the financial impact by 30–60% through regulatory fines alone. According to DORA, fines for ICT risk management failures can reach 1% of average daily worldwide turnover over the preceding year — a figure that can exceed the direct breach costs for large financial institutions.
Layer 4 → Layer 5 amplification: Financial exposure that exceeds coverage limits creates uninsured risk. A P50 loss of €420K covered by a €500K retention-plus-limit structure is manageable. A P95 loss of €2.1M against the same structure leaves €1.6M uninsured. Layer 5 surfaces these gaps before they become claim disputes.
Cross-layer cascading example:
A ransomware campaign targeting healthcare organizations (Layer 1) exploits an exposed RDP service (Layer 2) at a hospital that fails to meet NIS2 Article 21’s access control requirements (Layer 3), resulting in a P95 financial impact of €3.8M (Layer 4) that exceeds the hospital’s €2M cyber policy limit by €1.8M, with no ransomware-specific sublimit in place (Layer 5). Each layer compounds the previous one.
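The Layer 4 quantities (LEF, LM, P50/P95, ALE, loss exceedance) and the Layer 4 to Layer 5 coverage-gap arithmetic above can be worked through end to end in a small simulation. The Python below is an added example, not RESILIENTLY's Cyber Risk Calculator or any other tool on the page; it assumes a hypothetical LEF of 0.4 events per year, a lognormal per-event loss fitted to the article's €420K P50 / €2.1M P95 figures, and an assumed €100K retention plus €400K limit split of the €500K structure.

```python
# Added example (not RESILIENTLY's Cyber Risk Calculator): a FAIR-style Monte Carlo
# for the Layer 4 -> Layer 5 hand-off. The LEF, the LM parameters and the
# retention/limit split of the EUR 500K structure are hypothetical inputs.
import math
import random

Z_95 = 1.6448536269514722  # standard-normal quantile at the 95th percentile

def lognormal_params(p50, p95):
    """(mu, sigma) of a lognormal LM whose median is p50 and 95th percentile is p95."""
    mu = math.log(p50)
    sigma = (math.log(p95) - mu) / Z_95
    return mu, sigma

def sample_poisson(rng, lam):
    """Loss events in one simulated year (Knuth's algorithm; fine for small LEF)."""
    threshold = math.exp(-lam)
    count, product = 0, rng.random()
    while product > threshold:
        count += 1
        product *= rng.random()
    return count

def percentile(sorted_values, p):
    """Nearest-rank percentile of an already sorted list (p in 0..1)."""
    rank = math.ceil(p * len(sorted_values)) - 1
    return sorted_values[min(len(sorted_values) - 1, max(0, rank))]

def simulate(lef, lm_p50, lm_p95, years=50_000, seed=2024):
    """Monte Carlo over simulated years: LEF ~ Poisson, LM ~ lognormal.

    Returns per-event P50/P95, the Annualized Loss Expectancy (mean annual loss)
    and the sorted annual losses that back the loss exceedance curve.
    """
    rng = random.Random(seed)
    mu, sigma = lognormal_params(lm_p50, lm_p95)
    per_event, annual = [], []
    for _ in range(years):
        events = [rng.lognormvariate(mu, sigma) for _ in range(sample_poisson(rng, lef))]
        per_event.extend(events)
        annual.append(sum(events))
    per_event.sort()
    annual.sort()
    return {
        "event_p50": percentile(per_event, 0.50),
        "event_p95": percentile(per_event, 0.95),
        "ale": sum(annual) / years,
        "annual_losses": annual,
    }

def exceedance_probability(sorted_annual_losses, threshold):
    """One point on the loss exceedance curve: P(annual loss > threshold)."""
    exceeding = sum(1 for loss in sorted_annual_losses if loss > threshold)
    return exceeding / len(sorted_annual_losses)

def allocate_loss(loss, retention, limit):
    """Split one loss into retained (insured pays), insurer-paid, and uninsured excess."""
    retained = min(loss, retention)
    insurer_pays = min(max(loss - retention, 0.0), limit)
    uninsured = max(loss - retention - limit, 0.0)
    return retained, insurer_pays, uninsured

def layer4_band(p50, requested_limit):
    """Layer 4 row of the article's decision matrix: P50 as a share of the requested limit."""
    ratio = p50 / requested_limit
    if ratio < 0.5:
        return "Strong"
    if ratio <= 0.8:
        return "Adequate"
    return "Weak"

if __name__ == "__main__":
    # Hypothetical inputs: 0.4 events/year, per-event P50 EUR 420K, P95 EUR 2.1M.
    result = simulate(lef=0.4, lm_p50=420_000, lm_p95=2_100_000)
    retention, limit = 100_000, 400_000  # assumed split of the EUR 500K structure
    print(f"per-event P50 {result['event_p50']:,.0f}  P95 {result['event_p95']:,.0f}")
    print(f"ALE {result['ale']:,.0f}")
    print(f"P(annual loss > 2.1M) {exceedance_probability(result['annual_losses'], 2_100_000):.3f}")
    for label, loss in (("P50", 420_000), ("P95", 2_100_000)):
        _, paid, gap = allocate_loss(loss, retention, limit)
        print(f"{label} loss {loss:,}: insurer pays {paid:,.0f}, uninsured {gap:,.0f}")
    print("Layer 4 band vs EUR 2M requested limit:", layer4_band(420_000, 2_000_000))
```

The same `allocate_loss` call with a €2M limit and no retention reproduces the hospital example's €1.8M uninsured excess on a €3.8M P95 loss.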
Practical Application for Underwriters
Underwriters can use the Resilience Stack™ as a structured evaluation framework during the underwriting process:
Step 1: Set the Threat Context (Layer 1)
Before reviewing the application, check current threat intelligence for the applicant’s sector. If the applicant is in healthcare, know that healthcare was the most breached sector in 2025 (IBM). If they’re in financial services, know that BEC drove 58% of insurance claims (Amwins). This context shapes your risk appetite.
Step 2: Validate the Exposure Surface (Layer 2)
Run a passive exposure scan on the applicant’s primary domain. This takes 60 seconds and reveals far more than the application form. If the scan shows 12 unpatched internet-facing services with critical CVEs, the application’s claim of “strong security posture” is contradicted by evidence.
Step 3: Assess Regulatory Exposure (Layer 3)
Determine whether the applicant is classified as an essential or important entity under NIS2. If they are, compliance isn’t optional — and non-compliance carries specific, quantifiable financial penalties that affect the expected loss calculation. Use the NIS2 Compliance Checker to assess Article 21 compliance.
Step 4: Verify Financial Quantification (Layer 4)
If the applicant has conducted FAIR-based risk quantification, review the results. If they haven’t, generate your own estimates using the Cyber Risk Calculator. Compare the P95 loss estimate against the requested policy limits. If P95 exceeds the limit, you have an underinsurance problem.
Step 5: Structure Coverage (Layer 5)
Based on Layers 1–4, determine:
- Appropriate aggregate and per-incident limits
- Required sublimits (ransomware, social engineering, regulatory defense, business interruption)
- Appropriate retention levels
- Necessary exclusions (war/nation-state, infrastructure failure, cryptojacking)
- Conditions and representations (MFA requirement, incident response plan, backup testing)
Underwriting Decision Matrix
| Criteria | Strong (Favorable Terms) | Adequate (Standard Terms) | Weak (Decline or Restrict) |
|---|---|---|---|
| Layer 1: Threat | Low sector targeting, no active campaigns | Moderate targeting, standard threat level | High targeting, active campaigns in sector |
| Layer 2: Exposure | ≤5 services, all patched, strong headers | 6–15 services, minor gaps | 16+ services, critical CVEs, misconfigured |
| Layer 3: Regulatory | Full compliance, documented evidence | Partial compliance, remediation plan | Non-compliant, no remediation timeline |
| Layer 4: Financial | P50 < 50% of requested limit | P50 50–80% of requested limit | P50 > 80% of requested limit |
| Layer 5: Insurability | Pre-qualified, strong submission | Insurable with conditions | Red flags present, declination risk |
Practical Application for Brokers
Brokers use the Resilience Stack™ to produce higher-quality submissions and present risk more effectively to underwriters:
Before the Renewal Meeting
- Run a domain exposure scan (Layer 2, 60 seconds) — Identify any new internet-facing vulnerabilities that have emerged since the last renewal
- Update the compliance assessment (Layer 3, 5 minutes) — Check whether NIS2/DORA compliance has changed, especially if new regulatory deadlines have passed
- Recalculate financial exposure (Layer 4, 2 minutes) — Update breach cost estimates with current threat and regulatory data
- Compare against current coverage (Layer 5, 3 minutes) — Identify any coverage gaps that have widened or narrowed
During the Underwriter Meeting
Present findings in Resilience Stack™ order. Start with Layer 1 threat context (this frames the discussion), then Layer 2 exposure (this shows you’ve done the homework), then Layer 3 compliance (this addresses regulatory risk), then Layer 4 financial quantification (this speaks their language), and finally Layer 5 coverage recommendations (this is the actionable conclusion).
Key Talking Points for Broker Presentations
- “We’ve assessed this client using the Resilience Stack™, a five-layer framework that traces risk from external threats to coverage gaps.”
- “Layer 2 exposure scanning identified 3 services with patches pending — the client has committed to remediation by [date].”
- “Layer 3 compliance shows 78% NIS2 Article 21 compliance, with gaps in incident reporting capability. The client is addressing this with [action].”
- “Layer 4 FAIR analysis produces a P50 loss estimate of €420K and a P95 estimate of €1.8M — the requested €2M aggregate limit provides adequate coverage across scenarios.”
- “Layer 5 analysis confirms no coverage gaps in the current proposal structure, with appropriate sublimits for ransomware and regulatory defense.”
What Makes This Different
The Resilience Stack™ isn’t the first framework for cyber risk assessment, but it’s the first designed specifically for the insurance context. Here’s how it differs from existing approaches:
vs. Security Ratings (Bitsight, SecurityScorecard)
Security ratings measure external observables — configuration issues, vulnerability indicators, peer compromise history. They produce a single score. The Resilience Stack™ produces five dimensional measurements, each with specific, actionable outputs. Where a security rating says “C”, the Resilience Stack™ says “C because of X exposure, Y compliance gaps, and Z financial exposure, creating these specific coverage implications.”
vs. ISO 27001 Certification
ISO 27001 certifies that an information security management system (ISMS) exists and follows specified controls. It’s binary (certified/not certified) and backward-looking (audits past implementation). The Resilience Stack™ is continuous and forward-looking — each layer produces current-state measurements that update as conditions change. It also connects directly to insurance outcomes, which ISO 27001 was never designed to do.
vs. NIST Cybersecurity Framework (CSF)
The NIST CSF organizes cybersecurity activities into five functions: Identify, Protect, Detect, Respond, Recover. It’s an operational framework for security teams. The Resilience Stack™ is a risk assessment framework for insurance professionals. Where NIST CSF asks “are you doing the right security activities?”, the Resilience Stack™ asks “what’s the financial impact of the security activities you’re not doing, and how does that translate to coverage gaps?”
The Insurance-Specific Advantage
No other framework connects threat intelligence to insurance coverage in a structured, measurable way. The Resilience Stack™ was designed from the ground up for the insurance context:
- Each layer produces underwriter-actionable data — not just security metrics, but financial and coverage metrics
- The progression from Layer 1 to Layer 5 mirrors the underwriting thought process — from “what’s the risk?” to “how do we cover it?”
- Every layer maps to free, accessible tools — assessments take minutes, not weeks
- The framework creates a shared vocabulary — threat analysts, compliance officers, risk quantifiers, and insurance professionals all reference the same layers and measurements
Conclusion
Cyber insurance has long operated with incomplete information. Underwriters price risk using ratings that flatten multi-dimensional exposure into single scores. Compliance assessments live in silos disconnected from financial analysis. Coverage decisions are made without traceable connections between threat intelligence and policy structure.
The Resilience Stack™ is RESILIENTLY’s contribution to making cyber insurance more systematic. It provides a shared framework where threat intelligence feeds exposure analysis, exposure feeds compliance assessment, compliance feeds financial quantification, and quantification feeds insurance decisions.
Every layer has free tools available today. Every assessment produces measurable outputs. Every finding connects to the layer above and below it.
Start where you are. If you’re a broker, start at Layer 5 and work backwards to find the data that strengthens your submission. If you’re an underwriter, start at Layer 1 and work forward to build a complete risk picture. If you’re a CISO, start at Layer 2 and build out from there.
The cyber risk landscape doesn’t reward fragmented thinking. The Resilience Stack™ ensures every assessment, every submission, and every decision is grounded in a complete view of risk — from the threat landscape to the insurance policy.
The Resilience Stack™ is a proprietary framework developed by RESILIENTLY. For deeper analysis at each layer, explore the full suite of free cyber risk assessment tools.
Sources: IBM Cost of a Data Breach Report 2025; ENISA Threat Landscape 2025; NIS2 Directive (EU) 2022/2555; DORA Regulation (EU) 2022/2554; FAIR Institute quantitative risk analysis standards; Insurance Information Institute cyber insurance survey 2024; Amwins Cyber Market Report 2025; Corvus Insurance Q4 2025 Cyber Threat Report.